
UODO has imposed a fine on SPZOZ in Pajęczno. The issue is the loss of personal data

MedExpress Team

Medexpress

Published Aug. 27, 2024 09:00

The President of the UODO (the Polish data protection authority) has fined the Independent Public Health Care Center (SPZOZ) in Pajęczno 40 thousand zlotys. As a result of a hacking attack, the facility lost access to patient and employee data. It took corrective action only after the fact; before the attack it had not conducted a risk analysis for personal data, and so it could not protect that data effectively.

The hacking attack occurred in February 2022. Ransomware encrypted the personal data of 30,000 patients and more than a thousand employees. The SPZOZ notified the UODO and the police. However, it concluded that the attack was not serious, because the data had not leaked - it had only become inaccessible. An external expert indicated that the data could not be decrypted, as the attackers had made decryption conditional on paying a ransom in cryptocurrency.

However, the President of the UODO determined in the proceedings that the matter was significant. The SPZOZ did not respond to the threat to personal data until after the attack. Only then did it call in experts, who pointed out security gaps and recommended changes. Training was also held for employees on IT and data security.

However, the SPZOZ did not have - and this is crucial in the opinion of the UODO - documents confirming that a risk analysis for personal data had been prepared and updated. Data security was entrusted to an IT specialist, who was to analyze on an ongoing basis, among other things, vulnerabilities, threats, the possible consequences of a breach, and the security measures ensuring the confidentiality, integrity and availability of the personal data processed. This arrangement could in no way ensure proper control over data security.

As a result, the procedures adopted at the SPZOZ were not adequate for the risks to personal data. This was demonstrated by an audit conducted only after the attack.

Lacking a risk analysis, the SPZOZ also made mistakes after the incident: it reported the problem to the UODO and the police, but failed to notify the data subjects. It did not inform them that it had lost control of data such as first and last name, parents' names, date of birth, bank account number, home or residence address, PESEL number, username and/or password, data on earnings or assets owned, mother's maiden name, ID card series and number, phone number, and health data.

The SPZOZ believed that it did not need to notify those concerned, because the data had not been stolen; it had merely lost access to it. It is true that the findings show no trace of a data leak. However, this does not mean that the attackers did not copy the data for themselves.

Besides, as the UODO points out, if the SPZOZ had carried out a sound data risk analysis, it would have known that the problem was not only a possible data leak, but also that patients were losing access to their health data. Such a risk cannot be assessed as low, and a different risk classification would have prompted the SPZOZ to put better safeguards in place.

In addition to the financial penalty, the President of the UODO ordered that appropriate technical and organizational measures be implemented within 30 days to ensure the security of data processing in IT systems. He also ordered that the data subjects be notified of the incident, told what had happened, informed of its possible consequences, and told who at the SPZOZ could provide more information on the subject.

Source: UODO
